CloseAll_4.8-setup.exe
This report is generated from a file or URL submitted to this webservice on April 29th 2021 18:20:01 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.1 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior: Contacts 2 domains
Indicators
Not all malicious and suspicious indicators are displayed in this report.
Malicious Indicators (3)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- Details: 1/69 Antivirus vendors marked sample as malicious (1% detection rate)
- Source: External System
- Relevance: 8/10

General

The analysis extracted a file that was identified as malicious
- Details: 1/72 Antivirus vendors marked dropped file "CloseAll.exe" as malicious (classified as "BScope.Backdoor" with 1% detection rate)
- Source: Binary File
- Relevance: 10/10

Installation/Persistence

Writes data to a remote process
- Details:
"CloseAll_4.8-setup.exe" wrote 32 bytes to a remote process "%TEMP%\shexp.exe" (Handle: 612)
"CloseAll_4.8-setup.exe" wrote 52 bytes to a remote process "%TEMP%\shexp.exe" (Handle: 612)
"CloseAll_4.8-setup.exe" wrote 4 bytes to a remote process "%TEMP%\shexp.exe" (Handle: 612)
- Source: API Call
- Relevance: 6/10
- ATT&CK ID: T1055
Suspicious Indicators (18)

Anti-Detection/Stealthyness

Queries kernel debugger information
- Details: "shexp.exe" at 00069903-00002684-00000105-6620023
- Source: API Call
- Relevance: 6/10

Anti-Reverse Engineering
Possibly checks for known debuggers/analysis tools
- Details: "rkupStaticExtension@@" (Indicator: "icext")
- Source: File/Memory
- Relevance: 2/10

Environment Awareness
Reads the active computer name
- Details:
"CloseAll_4.8-setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"shexp.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- Source: Registry Access
- Relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- Details: "shexp.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- Source: Registry Access
- Relevance: 10/10
- ATT&CK ID: T1012

General
Reads configuration files
- Details:
"CloseAll_4.8-setup.exe" read file "%TEMP%\nse6B74.tmp\ioSpecial.ini"
"CloseAll_4.8-setup.exe" read file "%WINDIR%\win.ini"
"CloseAll_4.8-setup.exe" read file "%PROGRAMFILES%\desktop.ini"
- Source: API Call
- Relevance: 4/10

Installation/Persistence
Chained signature (with api-8700...). Detects file write then launch as executable
- Details: Chained signature (with api-8700...). Detects file write then launch as executable
- Source: API Call
- Relevance: 8/10

Creates new processes
- Details: "CloseAll_4.8-setup.exe" is creating a new process (Name: "%TEMP%\shexp.exe", Handle: 612)
- Source: API Call
- Relevance: 8/10

Drops executable files
- Details:
"uninst.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"CloseAll.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"shexp.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- Source: Binary File
- Relevance: 10/10

Opens the MountPointManager (often used to detect additional infection locations)
- Details: "CloseAll_4.8-setup.exe" opened "\Device\MountPointManager"
- Source: API Call
- Relevance: 5/10

System Destruction
Marks file for deletion
- Details:
"C:\CloseAll_4.8-setup.exe" marked "%TEMP%\nsk6B44.tmp" for deletion
"C:\CloseAll_4.8-setup.exe" marked "%TEMP%\nse6B74.tmp" for deletion
"C:\CloseAll_4.8-setup.exe" marked "%TEMP%\nse6B74.tmp\InstallOptions.dll" for deletion
"C:\CloseAll_4.8-setup.exe" marked "%TEMP%\nse6B74.tmp\ioSpecial.ini" for deletion
"C:\CloseAll_4.8-setup.exe" marked "%TEMP%\nse6B74.tmp\modern-header.bmp" for deletion
"C:\CloseAll_4.8-setup.exe" marked "%TEMP%\nse6B74.tmp\modern-wizard.bmp" for deletion
"C:\CloseAll_4.8-setup.exe" marked "%TEMP%\nse6B74.tmp\reinstall.ini" for deletion
"C:\CloseAll_4.8-setup.exe" marked "%TEMP%\nse6B74.tmp\System.dll" for deletion
- Source: API Call
- Relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- Details:
"CloseAll_4.8-setup.exe" opened "%TEMP%\nsk6B44.tmp" with delete access
"CloseAll_4.8-setup.exe" opened "%TEMP%\nse6B74.tmp" with delete access
"CloseAll_4.8-setup.exe" opened "%TEMP%\nse6B74.tmp\InstallOptions.dll" with delete access
"CloseAll_4.8-setup.exe" opened "%TEMP%\nse6B74.tmp\ioSpecial.ini" with delete access
"CloseAll_4.8-setup.exe" opened "%TEMP%\nse6B74.tmp\modern-header.bmp" with delete access
"CloseAll_4.8-setup.exe" opened "%TEMP%\nse6B74.tmp\modern-wizard.bmp" with delete access
"CloseAll_4.8-setup.exe" opened "%TEMP%\nse6B74.tmp\reinstall.ini" with delete access
"CloseAll_4.8-setup.exe" opened "%TEMP%\nse6B74.tmp\System.dll" with delete access
"CloseAll_4.8-setup.exe" opened "%TEMP%\nse6B74.tmp\" with delete access
- Source: API Call
- Relevance: 7/10

Unusual Characteristics
CRC value set in PE header does not match actual value
- Details:
"uninst.exe" claimed CRC 122048 while the actual is CRC 2965064
"shexp.exe" claimed CRC 82885 while the actual is CRC 32343
- Source: Static Parser
- Relevance: 10/10

Imports suspicious APIs
- Details:
RegCreateKeyExW
RegDeleteValueW
RegCloseKey
OpenProcessToken
RegEnumKeyW
RegOpenKeyExW
RegDeleteKeyW
CopyFileW
GetModuleFileNameW
GetFileAttributesW
GetFileSize
GetCommandLineW
LoadLibraryExW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetTempFileNameW
GetModuleHandleA
CreateThread
FindNextFileW
GetTempPathW
FindFirstFileW
GetModuleHandleW
WriteFile
CreateFileW
CreateProcessW
Sleep
GetTickCount
ShellExecuteExW
FindWindowExW
LoadLibraryW
VirtualProtect
VirtualAlloc
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
GetStartupInfoW
GetVersionExW
ShellExecuteW
- Source: Static Parser
- Relevance: 1/10

Installs hooks/patches the running process
- Details:
"CloseAll_4.8-setup.exe" wrote bytes "48120000" to virtual address "0x753E139C" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "48120000" to virtual address "0x753E12DC" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "48123e75" to virtual address "0x753F83DC" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "b81015876effe0" to virtual address "0x753E11F8" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "b88011876effe0" to virtual address "0x75981368" (part of module "WS2_32.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "f8110000" to virtual address "0x753E12CC" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "f8113e75" to virtual address "0x753F834C" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "f8110000" to virtual address "0x753E1408" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "b89012876effe0" to virtual address "0x753E1248" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "c04e687720546977e0656977b5386a770000000000d08d7500000000c5ea8d750000000088ea8d7500000000e9685f7582286a77ee296a7700000000d2695f75000000007dbb8d750000000009be5f7500000000ba188d7500000000" to virtual address "0x75971000" (part of module "NSI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "48123e75" to virtual address "0x753F8348" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "f8113e75" to virtual address "0x753F8368" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "68130000" to virtual address "0x75981680" (part of module "WS2_32.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "f8113e75" to virtual address "0x753F83C4" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "48123e75" to virtual address "0x753F8364" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "d0554a76647353760000000051c1a2759498a275ee9ca27575dca475273ea4750fb3a87500000000acdc8d751bf78d75c1088f75c0d98d75152e8d7536da8d75d5d98d7530c68d75e0c28d7542c68d751bc68d7586c48d7572c68d7500000000" to virtual address "0x70FC1000" (part of module "SHFOLDER.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "48123e75" to virtual address "0x753F83C0" (part of module "SSPICLI.DLL")
"CloseAll_4.8-setup.exe" wrote bytes "f8113e75" to virtual address "0x753F83E0" (part of module "SSPICLI.DLL")
"shexp.exe" wrote bytes "48120000" to virtual address "0x753E139C" (part of module "SSPICLI.DLL")
"shexp.exe" wrote bytes "48120000" to virtual address "0x753E12DC" (part of module "SSPICLI.DLL")
- Source: Hook Detection
- Relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- Details: "CloseAll_4.8-setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- Source: Registry Access
- Relevance: 3/10
- ATT&CK ID: T1012

Hiding 3 Suspicious Indicators (available only in the private webservice or standalone version)
Informative (22)

Anti-Reverse Engineering

PE file contains zero-size sections
- Details: Raw size of ".ndata" is zero
- Source: Static Parser
- Relevance: 10/10

Environment Awareness
Queries volume information
- Details:
"CloseAll_4.8-setup.exe" queries volume information of "C:\" at 00064529-00003500-0000010C-44145680
"CloseAll_4.8-setup.exe" queries volume information of "C:\" at 00064529-00003500-0000010C-44458846
"CloseAll_4.8-setup.exe" queries volume information of "%PROGRAMFILES%\CloseAll\CloseAll.exe" at 00064529-00003500-0000010C-44459617
"CloseAll_4.8-setup.exe" queries volume information of "C:\" at 00064529-00003500-0000010C-44480500
"CloseAll_4.8-setup.exe" queries volume information of "%PROGRAMFILES%\CloseAll\CloseAll.exe" at 00064529-00003500-0000010C-44481744
"CloseAll_4.8-setup.exe" queries volume information of "%PROGRAMFILES%\CloseAll\CloseAll.exe" at 00064529-00003500-0000010C-339563718
- Source: API Call
- Relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire harddrive
- Details:
"CloseAll_4.8-setup.exe" queries volume information of "C:\" at 00064529-00003500-0000010C-44145680
"CloseAll_4.8-setup.exe" queries volume information of "C:\" at 00064529-00003500-0000010C-44458846
"CloseAll_4.8-setup.exe" queries volume information of "C:\" at 00064529-00003500-0000010C-44480500
- Source: API Call
- Relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- Details:
"CloseAll_4.8-setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CLOSEALL")
"CloseAll_4.8-setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CLOSEALL_4.8-SETUP.EXE")
"CloseAll_4.8-setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CLOSEALL_4.8-SETUP.EXE")
- Source: Registry Access
- Relevance: 10/10
- ATT&CK ID: T1012

General
Contacts domains
- Details:
"crt.usertrust.com"
"ocsp.sectigo.com"
- Source: Network Traffic
- Relevance: 1/10

Creates a writable file in a temporary directory
- Details:
"CloseAll_4.8-setup.exe" created file "%TEMP%\nse6B74.tmp\System.dll"
"CloseAll_4.8-setup.exe" created file "%TEMP%\nse6B74.tmp\ioSpecial.ini"
"CloseAll_4.8-setup.exe" created file "%TEMP%\nse6B74.tmp\modern-wizard.bmp"
"CloseAll_4.8-setup.exe" created file "%TEMP%\nse6B74.tmp\modern-header.bmp"
- Source: API Call
- Relevance: 1/10

Drops files marked as clean
- Details:
Antivirus vendors marked dropped file "uninst.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive")
Antivirus vendors marked dropped file "System.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "shexp.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "InstallOptions.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Source: Binary File
- Relevance: 10/10
Loads rich edit control libraries
- Details: "CloseAll_4.8-setup.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6E690000
- Source: Loaded Module
- ATT&CK ID: T1179

Overview of unique CLSIDs touched in registry
- Details:
"CloseAll_4.8-setup.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"CloseAll_4.8-setup.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"CloseAll_4.8-setup.exe" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"CloseAll_4.8-setup.exe" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
"CloseAll_4.8-setup.exe" touched "Microsoft AutoComplete" (Path: "HKCU\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"CloseAll_4.8-setup.exe" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
"CloseAll_4.8-setup.exe" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"shexp.exe" touched "ShellWindows" (Path: "HKCU\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
"shexp.exe" touched "PSOAInterface" (Path: "HKCU\CLSID\{00020424-0000-0000-C000-000000000046}")
"shexp.exe" touched "PSDispatch" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}")
"shexp.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\TREATAS")
- Source: Registry Access
- Relevance: 3/10

Scanning for window names
- Details:
"CloseAll_4.8-setup.exe" searching for class "#32770"
"CloseAll_4.8-setup.exe" searching for class "CLOSEALL-E9E28FF9-6801-4809-BD8F-1227DA13C2F7"
- Source: API Call
- Relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- Details: Spawned process "shexp.exe" with commandline "/NONELEVATED "%PROGRAMFILES%\CloseAll\CloseAll.exe""
- Source: Monitored Target
- Relevance: 3/10

Spawns new processes that are not known child processes
- Details: Spawned process "shexp.exe" with commandline "/NONELEVATED "%PROGRAMFILES%\CloseAll\CloseAll.exe""
- Source: Monitored Target
- Relevance: 3/10

The input sample is signed with a certificate
- Details:
The input sample is signed with a certificate issued by "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE" (SHA1: 8A:D5:C9:98:7E:6F:19:0B:D6:F5:41:6E:2D:E4:4C:CD:64:1D:8C:DA; see report for more information)
The input sample is signed with a certificate issued by "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US" (SHA1: 85:48:71:D1:4F:C2:B5:B1:24:F8:DC:07:13:2D:74:76:67:4E:9C:33; see report for more information)
The input sample is signed with a certificate issued by "CN=COMODO Time Stamping CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: 48:8E:CF:B1:EC:D6:27:14:E9:E4:6E:6A:A1:74:08:C5:5A:7A:55:B5; see report for more information)
The input sample is signed with a certificate issued by "CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: 01:56:74:BC:7D:09:6B:7C:FC:D5:DC:31:49:51:24:96:B9:4D:17:63; see report for more information)
The input sample is signed with a certificate issued by "CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US" (SHA1: 94:C9:5D:A1:E8:50:BD:85:20:9A:4A:2A:F3:E1:FB:16:04:F9:BB:66; see report for more information)
- Source: Certificate Data
- Relevance: 10/10
- ATT&CK ID: T1116

The input sample is signed with a valid certificate
- Details: The entire certificate chain of the input sample was validated successfully.
- Source: Certificate Data
- Relevance: 10/10
- ATT&CK ID: T1116

The input sample possibly contains the RDTSCP instruction
- Details: Found VM detection artifact "RDTSCP trick" in "924ed7fd58ad55404571f33c291bbd2a8ac47f5a40bb8653cde131f9a6e0ca43.bin" (Offset: 1235725)
- Source: Binary File
- Relevance: 5/10
- ATT&CK ID: T1497

Installation/Persistence
Accessed IE Quick Launch directory
- Details: "CloseAll_4.8-setup.exe" obtained handle to "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\CloseAll.lnk" (Type: "FileHandle")
- Source: Touched Handle
- Relevance: 10/10

Connects to LPC ports
- Details:
"CloseAll_4.8-setup.exe" connecting to "\ThemeApiPort"
"shexp.exe" connecting to "\ThemeApiPort"
- Source: API Call
- Relevance: 1/10

Dropped files
- Details:
"uninst.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"CloseAll.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Sat Apr 18 07:12:08 2020 mtime=Thu Apr 29 16:23:00 2021 atime=Sat Apr 18 07:12:08 2020 length=4162600 window=hide"
"CloseAll.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"shexp.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"modern-wizard.bmp" has type "PC bitmap Windows 3.x format 164 x 314 x 8"
"History.rtf" has type "Rich Text Format data version 1 ANSI"
"nse6B73.tmp" has type "data"
"reinstall.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"ioSpecial.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"ReadMe.txt" has type "Non-ISO extended-ASCII text with CRLF line terminators"
"modern-header.bmp" has type "PC bitmap Windows 3.x format 150 x 57 x 8"
"License.rtf" has type "Rich Text Format data version 1 ANSI"
- Source: Binary File
- Relevance: 3/10

Touches files in the Windows directory
- Details:
"CloseAll_4.8-setup.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"CloseAll_4.8-setup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
"CloseAll_4.8-setup.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
"CloseAll_4.8-setup.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CloseAll"
"CloseAll_4.8-setup.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CloseAll\CloseAll Homepage.url"
"CloseAll_4.8-setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"CloseAll_4.8-setup.exe" touched file "C:\Windows\System32\oleaccrc.dll"
"CloseAll_4.8-setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"CloseAll_4.8-setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"CloseAll_4.8-setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000027.db"
"CloseAll_4.8-setup.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"CloseAll_4.8-setup.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"CloseAll_4.8-setup.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CloseAll\CloseAll.lnk"
"CloseAll_4.8-setup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"CloseAll_4.8-setup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
"CloseAll_4.8-setup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs"
"CloseAll_4.8-setup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\CloseAll"
"CloseAll_4.8-setup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\CloseAll\CloseAll Homepage.url"
"CloseAll_4.8-setup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"CloseAll_4.8-setup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
- Source: API Call
- Relevance: 7/10

Network Related

Found potential URL in binary/memory
- Details:
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "http://www.usertrust.com1"
Pattern match: "crl.usertrust.com/AddTrustExternalCARoot.crl05"
Pattern match: "http://ocsp.usertrust.com0"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl0t"
Pattern match: "crt.usertrust.com/UTNAddTrustObject_CA.crt0%"
Pattern match: "https://sectigo.com/CPS0B"
Pattern match: "crl.sectigo.com/COMODOTimeStampingCA_2.crl0r"
Pattern match: "crt.sectigo.com/COMODOTimeStampingCA_2.crt0#"
Pattern match: "http://ocsp.sectigo.com0"
Pattern match: "https://sectigo.com/CPS0C"
Pattern match: "crl.sectigo.com/SectigoRSACodeSigningCA.crl0s"
Pattern match: "crt.sectigo.com/SectigoRSACodeSigningCA.crt0#"
Pattern match: "http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v"
Pattern match: "crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%"
Pattern match: "https://sectigo.com/CPS0D"
Pattern match: "crl.sectigo.com/SectigoRSATimeStampingCA.crl0t"
Pattern match: "crt.sectigo.com/SectigoRSATimeStampingCA.crt0#"
Pattern match: "http://nsis.sf.net/NSIS_Error"
Heuristic match: "crt.usertrust.com"
Heuristic match: "ocsp.sectigo.com"
Pattern match: "https://www.ntwind.com/software/closeall.html"
Pattern match: "http://www.ntwind.com/software/utilities/close-all.html"
Pattern match: "www.ntwind.com/software/closeall.htmlopen"
Pattern match: "continue.Add/Reinstall"
Pattern match: "http://www.foood.net/"
Pattern match: "http://www.ntwind.com"
Heuristic match: "Contact the developer personally by email: alexander@ntwind.com"
Heuristic match: "Email: alexander@ntwind.com"
- Source: File/Memory
- Relevance: 10/10

System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- Details:
"CloseAll_4.8-setup.exe" opened "\Device\KsecDD"
"shexp.exe" opened "\Device\KsecDD"
- Source: API Call
- Relevance: 10/10
- ATT&CK ID: T1215

Unusual Characteristics
Matched Compiler/Packer signature
- Details: "shexp.exe" was detected as "Visual C++ 2005 Release -> Microsoft"
- Source: Static Parser
- Relevance: 10/10
- ATT&CK ID: T1045
File Details

CloseAll_4.8-setup.exe
- Filename: CloseAll_4.8-setup.exe
- Size: 2.8MiB (2939744 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture: WINDOWS
- SHA256: 924ed7fd58ad55404571f33c291bbd2a8ac47f5a40bb8653cde131f9a6e0ca43
- MD5: 92b380f2f0fbb3d876e744d65d586735
- SHA1: b352ab8296196c0dd4e2b35bdfdf4a7268d4abdf
- ssdeep: 49152:GL9JdiBMG3cyXs3gkUWhJc8Z7f8zFLCcz+Y49InG0XQULnrYecxmTmH3a3l3h7zv:e9J4OG3fkQOJb7f8zFmczA9KXXvrYPBC
- imphash: 24f4223e271413c25abad52fd456a9bc
- authentihash: 0c35a6e2553e284a22f71e3666595d55fc302338b5c62667a7c579c035d49839
Version Info
- LegalCopyright: 2020 NTWind Software
- FileVersion: 4.8.0.0
- CompanyName: NTWind Software
- ProductName: CloseAll
- ProductVersion: 4.8.0.0
- FileDescription: CloseAll Setup
- Translation: 0x0409 0x04e4
Classification (TrID)
- 41.0% (.EXE) Win32 Executable MS Visual C++ (generic)
- 36.3% (.EXE) Win64 Executable (generic)
- 8.6% (.DLL) Win32 Dynamic Link Library (generic)
- 5.9% (.EXE) Win32 Executable (generic)
- 2.6% (.EXE) OS/2 Executable (generic)
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 10 .C Files compiled with CL.EXE (Visual Studio 6 Processor Pack) (build: 9044)
- 15 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
File Certificates

Certificate chain was successfully validated.

Owner | Issuer | Serial | Valid from | Valid to | MD5 | SHA1
---|---|---|---|---|---|---
CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 421af2940984191f520a4bc62426a74b | 06/07/2005 08:09:10 | 05/30/2020 10:48:38 | FF:5F:BC:42:90:FA:38:9E:79:84:67:EB:D7:AE:94:0B | 8A:D5:C9:98:7E:6F:19:0B:D6:F5:41:6E:2D:E4:4C:CD:64:1D:8C:DA
CN=COMODO Time Stamping CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US | 625c4d908cd542fbab2ea5733ff15419 | 04/27/2011 00:00:00 | 05/30/2020 10:48:38 | 77:D5:E6:70:55:1A:4E:0B:35:35:D9:AE:96:02:B0:59 | 85:48:71:D1:4F:C2:B5:B1:24:F8:DC:07:13:2D:74:76:67:4E:9C:33
CN=Sectigo SHA-1 Time Stamping Signer, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO Time Stamping CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | 2b73db7463114c5a5b324af230577249 | 05/02/2019 00:00:00 | 05/30/2020 10:48:38 | 84:11:48:90:D1:F5:CB:6B:82:CE:1D:34:61:00:34:26 | 48:8E:CF:B1:EC:D6:27:14:E9:E4:6E:6A:A1:74:08:C5:5A:7A:55:B5
CN=NTWind Software, O=NTWind Software, STREET=Menshikovsky pr. 3-25, L=Saint Petersburg, OID.2.5.4.17=195067, C=RU | CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | c20d42f4f000c62506cbb00d86eba50b | 03/31/2020 00:00:00 | 06/29/2023 23:59:59 | AC:76:D2:DF:53:F6:8F:28:7E:24:89:B2:CB:00:45:E1 | 01:56:74:BC:7D:09:6B:7C:FC:D5:DC:31:49:51:24:96:B9:4D:17:63
CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | 1da248306f9b2618d082e0967d33d36a | 11/02/2018 00:00:00 | 12/31/2030 23:59:59 | 2A:E0:F3:CA:4D:29:1B:47:8B:75:A0:4C:4C:1E:10:42 | 94:C9:5D:A1:E8:50:BD:85:20:9A:4A:2A:F3:E1:FB:16:04:F9:BB:66
Hybrid Analysis

Analysed 2 processes in total.
- CloseAll_4.8-setup.exe (PID: 3500), AV scan result 1/69
- shexp.exe /NONELEVATED "%PROGRAMFILES%\CloseAll\CloseAll.exe" (PID: 2684)
Network Analysis

DNS Requests

Domain | Address | Registrar | Country
---|---|---|---
crt.usertrust.com | 91.199.212.52 (TTL: 397) | CSC CORPORATE DOMAINS, INC. (Organization: Comodo Group, Inc.; Name Server: NS0.COMODODNS.COM; Creation Date: Fri, 05 Dec 1997 00:00:00 GMT) | United Kingdom
ocsp.sectigo.com | 151.139.128.14 (TTL: 2184) | - | United States
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 14 extracted file(s). The remaining 2 file(s) are available in the full version and XML/JSON reports.
Malicious (1)

CloseAll.exe
- Size: 4MiB (4162600 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "BScope.Backdoor" (1/72)
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 34840ab73461de38c1d95eeecfa89eed
- SHA1: 5e4dc69b7602a22a0d3aff8545546fdf8b7f90c9
- SHA256: 7f3daaa794a174721b180d6fccaf4de721ffd334dc555f66a32e87a541e0a89c
Clean (4)

uninst.exe
- Size: 87KiB (88728 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result: 0/71
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 58d90fbb74748af37afb86083b5967f2
- SHA1: 33806823ee23a2484ccbe590d2ca4df2435a0fc8
- SHA256: 7eb9577e0fd9c68c7b0d65b8d799694935c13aa7ee21452b3827afd0b395cf17

InstallOptions.dll
- Size: 16KiB (15872 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/63
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 09d8971beefefffd710030dd167a99e0
- SHA1: a0117786ad77213f3eb48cfdc3819786cb796b7d
- SHA256: caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95

System.dll
- Size: 12KiB (12288 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/68
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 8cf2ac271d7679b1d68eefc1ae0c5618
- SHA1: 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
- SHA256: 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

shexp.exe
- Size: 20KiB (20584 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/69
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 3bb8823f7a9b8c17b5a109696d1cce74
- SHA1: 0048f5144e34fa40e16a39bccf1d985c3e7af935
- SHA256: fab57edcc30f286afd5dc49dffd78b57d817e215a5f07a140aeac98330c5c506
Informative (9)

CloseAll.lnk
- Size: 989B (989 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Apr 18 07:12:08 2020, mtime=Thu Apr 29 16:23:00 2021, atime=Sat Apr 18 07:12:08 2020, length=4162600, window=hide
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: d98a541087da03822a904ad78f948a0f
- SHA1: 3d68f36d126dd6c3f3046231a503445a4654da0c
- SHA256: 6c64a2ce8a21bd305cf023303ee40056f172ff9e7c631c0826d4cdc9fdd17c2d

History.rtf
- Size: 5.6KiB (5746 bytes)
- Type: rtf
- Description: Rich Text Format data, version 1, ANSI
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 14c7bdbff9d5c3f1d5b3f66f208a5f0d
- SHA1: 25ca804ca7007bf59e1bb7f98b05bf807c50dfbd
- SHA256: 0d2a42ef6219abfbe7f9f451d7e849b4c4306093c6e50c9f9a1940c5a688a246

License.rtf
- Size: 6.8KiB (7004 bytes)
- Type: rtf
- Description: Rich Text Format data, version 1, ANSI
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 35f746c50163cb0475ebf7febf84c605
- SHA1: bdf55c2a31f6df76d0ec26046271294e248c5660
- SHA256: 9d35df00da37afb136c2f9cdec65a4f00ec801042a2f327d81e36bc157ca3275

ReadMe.txt
- Size: 1.5KiB (1501 bytes)
- Type: text
- Description: Non-ISO extended-ASCII text, with CRLF line terminators
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: c90f109ae7987a6b341a3d892759cc95
- SHA1: 5a42b1b6d997f40d6fa24fc7a5ecf50cba740c3e
- SHA256: 6614b134a0f6b81b46ce247506c1f25593728129a6738b9a0904e357427e54e7

nse6B73.tmp
- Size: 5MiB (5217563 bytes)
- Type: doc office
- Description: data
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 017bbe7f541dc58a0f41b4d90e7ca86e
- SHA1: 514c04e1077399cdc6c770de922e1c5021da8c8f
- SHA256: 8ab029abc60fd0eb292d374b717ff34545c649dfb33b81835e1d65e08ff94ee3

ioSpecial.ini
- Size: 1.4KiB (1466 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 1ba969dfc3817953391451d9b4e70a37
- SHA1: 50c25b188b28feca37e6d808aba9252ba8a8f44c
- SHA256: e640e0bcf2e6bf7e5f2d4730e1d72bac8a96d9cd86f89473c99c323d76da35e5

modern-header.bmp
- Size: 9.5KiB (9742 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 150 x 57 x 8
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 3b238f5e2945408969a335523d4d12f9
- SHA1: 44bdae1a5abe931d2629ef67a921b096eb1713cd
- SHA256: 50c2d47213812e571f247035a4042b28e02da12e74baed35a7a3f07d305dae81

modern-wizard.bmp
- Size: 51KiB (52574 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 164 x 314 x 8
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: 8e66dcb706d065411d93625dcd29bed6
- SHA1: 0735e8b42fea18d19db6b93f6fb0e67800534cd0
- SHA256: a3cce4ba33f229d505f8639dd8808b85d832cb52e96ab1b2cfe51ff95bd4dadf

reinstall.ini
- Size: 486B (486 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: CloseAll_4.8-setup.exe (PID: 3500)
- MD5: f1ba76612034bc3bddf073154fbe46fc
- SHA1: 65cd4040a022e3c18ac9be3aa1b646d65adb2763
- SHA256: 07633604d04d01d81cc29f56205501e4523c8248879a11b5981066016e1c64d5
Notifications

Runtime
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report